geometry dash wrote:
Hello all,
I’m trying to set up VyOS with Suricata and send the logs to a remote syslog server. However, all output is printed to the console. The console is absolutely unworkable with this output. How can I manage/stop the output from flooding my console?
example console output:
Message from syslogd@vyos at Mar 16 18:23:17 ... suricata[3860]:{"timestamp":"2026-03-16T18:23:17.478329+0000","flow_id":4901417913679168,"in_iface":"eth0","event_type":"dns","src_ip":"<REDACTED>", ...snip...
I basically took the suricata config from this post.
My config:
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id <REDACTED>
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        address <REDACTED_LAN_IP>
        hw-id <REDACTED>
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name eth0
            }
            source {
                address <REDACTED>
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name lan {
            subnet <REDACTED> {
                option {
                    default-router <REDACTED>
                    name-server 8.8.8.8
                }
                range 1 {
                    start <REDACTED>
                    stop <REDACTED>
                }
                subnet-id 1
            }
        }
    }
    ntp {
        allow-client {
            address 127.0.0.0/8
            address 169.254.0.0/16
            address 10.0.0.0/8
            address 172.16.0.0/12
            address 192.168.0.0/16
            address ::1/128
            address fe80::/10
            address fc00::/7
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
    }
    suricata {
        address-group aim-servers {
            group external-net
        }
        address-group dc-servers {
            group home-net
        }
        address-group dns-servers {
            group home-net
        }
        address-group external-net {
            group !home-net
        }
        address-group home-net {
            address <REDACTED_HOME_NET>
        }
        address-group http-servers {
            group home-net
        }
        address-group smtp-servers {
            group home-net
        }
        address-group sql-servers {
            group home-net
        }
        address-group telnet-servers {
            group home-net
        }
        interface eth0
        log {
            eve {
                filetype syslog
                type alert
                type drop
                type dns
                type http
            }
        }
        port-group all-ports {
            port 1-65535
        }
        port-group file-data-ports {
            group http-ports
            port 110
            port 143
        }
        port-group ftp-ports {
            port 21
        }
        port-group geneve-ports {
            port 6081
        }
        port-group http-ports {
            port 80
        }
        port-group oracle-ports {
            port 1521
        }
        port-group shellcode-ports {
            port !80
        }
        port-group ssh-ports {
            port 22
        }
        port-group teredo-ports {
            port 3544
        }
        port-group vxlan-ports {
            port 4789
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        operator-group default {
            command-policy {
                allow "*"
            }
        }
        user <REDACTED> {
            authentication {
                encrypted-password <REDACTED>
                plaintext-password <REDACTED>
            }
        }
    }
    name-server 8.8.8.8
    option {
        reboot-on-upgrade-failure 5
    }
    syslog {
        local {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
        remote <syslog_server_ip> {
        }
    }
}
If the VyOS CLI doesn’t give you enough granularity, you may need to look at the underlying rsyslog quirks, but usually, adjusting the system syslog local facility all level to notice or warning is enough to clear the console flood.
Give that a shot and let us know if the logs stop appearing on the CLI!
Your current config shows:
system { syslog { local { facility all { level info } } } }
This is very “chatty.” Suricata EVE logs via syslog often use the info level. You can try changing the local facility to a higher level (like err or warning) so they don’t print locally, while keeping the remote server config as is.
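As an added example (not from the original thread, and not VyOS or Suricata code): the console lines quoted above are Suricata EVE JSON records wrapped by syslogd, and the posted config enables `type dns` and `type http` alongside `type alert` and `type drop`. Raising the local syslog level stops them reaching the console, but it helps to know which event types make up the volume, since dropping the chatty types from `log eve type` reduces it at the source as well as on the remote server. The script below parses lines in that console format, counts records per `event_type`, flags the dominant non-alert types, and treats a record cut off mid-JSON (like the `...snip...` in the post) as unparsed rather than crashing. All sample lines are constructed to mirror the quoted format; the IPs, rule name and signature id are placeholders.

```python
import json
import re
import sys
from collections import Counter

# Matches the console form quoted in the thread:
#   Message from syslogd@vyos at Mar 16 18:23:17 ... suricata[3860]:{...json...}
# The same regex also fits the record as written to a plain syslog file.
_EVE_RE = re.compile(r"suricata\[(?P<pid>\d+)\]:\s*(?P<payload>\{.*)$")


def parse_eve_line(line: str):
    """Return the EVE JSON record embedded in one syslog/console line.

    Returns None for lines not emitted by Suricata, and for Suricata lines
    whose JSON is incomplete (e.g. a record truncated by the console).
    """
    m = _EVE_RE.search(line)
    if not m:
        return None
    try:
        record = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def count_event_types(lines):
    """Count EVE records per event_type; truncated Suricata lines count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_eve_line(line)
        if rec is None:
            if "suricata[" in line:
                counts["unparsed"] += 1
            continue
        counts[rec.get("event_type", "unknown")] += 1
    return counts


def noisy_types(counts, keep=("alert", "drop"), share=0.3):
    """event_types outside `keep` that exceed `share` of all parsed records:
    candidates to remove from `service suricata log eve type`."""
    total = sum(v for k, v in counts.items() if k != "unparsed")
    if total == 0:
        return []
    return sorted(k for k, v in counts.items()
                  if k not in keep and k != "unparsed" and v / total > share)


# ---- constructed sample input, shaped like the console output in the post ----
def _eve(event_type, src, dst, proto, **extra):
    rec = {"timestamp": "2026-03-16T18:23:17.478329+0000", "flow_id": 4901417913679168,
           "in_iface": "eth0", "event_type": event_type, "src_ip": src,
           "dest_ip": dst, "proto": proto}
    rec.update(extra)
    return rec


def _console_line(record):
    return ("Message from syslogd@vyos at Mar 16 18:23:17 ... suricata[3860]:"
            + json.dumps(record, separators=(",", ":")))


SAMPLE_LINES = [
    _console_line(_eve("dns", "192.0.2.10", "8.8.8.8", "UDP", dns={"type": "query", "rrname": "example.com", "rrtype": "A"})),
    _console_line(_eve("dns", "192.0.2.10", "8.8.8.8", "UDP", dns={"type": "answer", "rrname": "example.com", "rrtype": "A"})),
    _console_line(_eve("dns", "192.0.2.11", "8.8.8.8", "UDP", dns={"type": "query", "rrname": "example.net", "rrtype": "AAAA"})),
    _console_line(_eve("dns", "192.0.2.11", "8.8.8.8", "UDP", dns={"type": "answer", "rrname": "example.net", "rrtype": "AAAA"})),
    _console_line(_eve("http", "192.0.2.10", "198.51.100.5", "TCP", http={"hostname": "example.com", "url": "/", "http_method": "GET"})),
    # Placeholder alert: signature name and id are constructed, not a real rule.
    _console_line(_eve("alert", "198.51.100.7", "192.0.2.10", "TCP", alert={"signature_id": 1000001, "signature": "CONSTRUCTED TEST RULE", "severity": 2})),
    # Unrelated daemon line: must be ignored, not counted.
    "Message from syslogd@vyos at Mar 16 18:23:18 ... sshd[1201]: Accepted publickey for vyos from 192.0.2.10 port 51514",
    # Record cut off mid-JSON, like the "...snip..." in the post: counted as unparsed.
    'Message from syslogd@vyos at Mar 16 18:23:18 ... suricata[3860]:{"timestamp":"2026-03-16T18:23:18.000000+0000","event_type":"dns","src_ip":"192.0.2.10",',
]

if __name__ == "__main__":
    # Feed saved console/syslog lines on stdin, or run with no input to use the sample.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    counts = count_event_types(lines)
    for event_type, n in counts.most_common():
        print(f"{event_type:10s} {n}")
    print("noisy non-alert types:", noisy_types(counts))
```

On the sample, `dns` accounts for four of six parsed records and is the only type flagged, which matches the post: the quoted console line is itself a `dns` event. The `keep` tuple defaults to `alert` and `drop` because those are the records worth keeping on the remote syslog server; adjust `share` to taste before deciding what to remove from the `log eve type` list.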